Update GitHub Actions workflows and pin action versions

coliff · coliff · commit 406114017150 · 2025-09-08T23:29:54.000+09:00
Standardized YAML quoting style, added 'persist-credentials: false' to checkout steps, pinned actions/checkout and other actions to specific commit SHAs for improved security, and fixed a typo in the super-linter workflow. These changes enhance workflow reliability and security.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,14 +1,14 @@
-name: "CodeQL"
+name: 'CodeQL'
 
 on:
   push:
     branches:
       - main
-      - "!dependabot/**"
+      - '!dependabot/**'
   pull_request:
     branches:
       - main
-      - "!dependabot/**"
+      - '!dependabot/**'
   workflow_dispatch:
 
 jobs:
@@ -23,11 +23,13 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
-          languages: "javascript"
+          languages: 'javascript'
           queries: +security-and-quality
 
       - name: Perform CodeQL Analysis
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
@@ -1,4 +1,4 @@
-name: "Check spelling"
+name: 'Check spelling'
 on:
   push:
     branches: [main]
@@ -13,8 +13,11 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
-      - uses: actions/checkout@v5
-      - uses: streetsidesoftware/cspell-action@v7
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - uses: streetsidesoftware/cspell-action@dcd03dc3e8a59ec2e360d0c62db517baa0b4bb6d # v7.2.0
         with:
           check_dot_files: false
           incremental_files_only: true
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -24,12 +24,13 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Super-linter
-        uses: super-linter/super-linter/slim@v8
+        uses: super-linter/super-linter/slim@6916783267451c87693968017594a67447945328 # v8.11.1
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: '/test/'
@@ -49,4 +50,4 @@ jobs:
           VALIDATE_JSON_PRETTIER: false
           VALIDATE_JSCPD: false
           VALIDATE_NATURAL_LANGUAGE: false
-          VALIDTAE_YAML_PRETTIER: false
+          VALIDATE_YAML_PRETTIER: false
